Removing an LDAP attribute regardless of its value


Dick Visser

Jun 26, 2023, 12:12:21 PM6/26/23
to ansible...@googlegroups.com
Hi,
I am trying to remove an attribute from an LDAP entry, in this case the password that was put in during installation of the slapd package.

Initially I have this:

root@dick-dev1:~# ldapsearch -Q -LLL -Y EXTERNAL -b cn=config olcDatabase={1}mdb
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=geant,dc=org
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=geant,dc=org
olcRootPW: {SSHA}tRU7YUk8WUdcA04ZbYAv1985nUcMrjRZ
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824

This LDIF:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcRootPW

can be successfully used with ldapmodify:

root@dick-dev1:~# ldapmodify -Y EXTERNAL -f bar.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

After which the entry looks like this:

root@dick-dev1:~# ldapsearch -Q -LLL -Y EXTERNAL -b cn=config olcDatabase={1}mdb
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=geant,dc=org
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=geant,dc=org
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824

I.e., the olcRootPW attribute is now gone. Great.

I want to use ansible to achieve the same thing, but I can't figure out how to do that.
I can't use ldap_entry because that can only remove entire entries.
According to https://docs.ansible.com/ansible/latest/collections/community/general/ldap_attrs_module.html, this is to "Add or remove multiple LDAP attribute values".
That seems like what I need.

    The attribute(s) and value(s) to add or remove.

That works, but I need to supply both the attribute AND its value.
I cannot seem to remove just the attribute, regardless of its value.
Any idea how to do that? I.e. without adding helper tasks to first check if the attribute exists, and if so, get its value?

thx :)

Dick
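The way I would express this in Ansible, as an added example that is not from the thread: community.general.ldap_attrs documents that state: exact with an empty value list removes every value of that attribute, which is exactly the "delete regardless of value" semantics of the LDIF above. It assumes the play runs as root on the LDAP host so that SASL EXTERNAL over ldapi:/// maps to the same peercred identity ldapmodify used; the inventory group name is made up.

```yaml
# Added example: remove olcRootPW from olcDatabase={1}mdb with ldap_attrs.
# Binds over the local ldapi socket with SASL EXTERNAL, mirroring
# "ldapmodify -Y EXTERNAL" from the thread (no bind_dn/bind_pw needed).
- name: Remove the installer-set olcRootPW regardless of its current value
  hosts: ldap_servers            # assumed inventory group
  become: true                   # root peercred -> cn=config access via EXTERNAL
  tasks:
    - name: Drop every value of olcRootPW on olcDatabase={1}mdb
      community.general.ldap_attrs:
        dn: olcDatabase={1}mdb,cn=config
        server_uri: ldapi:///
        sasl_class: external
        state: exact             # force the attribute to exactly these values...
        attributes:
          olcRootPW: []          # ...and an empty list means "no values" = deleted
      register: rootpw_removed

    - name: Re-read the entry to confirm the attribute is gone
      ansible.builtin.command: >
        ldapsearch -Q -LLL -Y EXTERNAL -b cn=config
        olcDatabase={1}mdb olcRootPW
      register: rootpw_check
      changed_when: false

    - name: Fail loudly if olcRootPW is still present
      ansible.builtin.assert:
        that: "'olcRootPW:' not in rootpw_check.stdout"
        fail_msg: olcRootPW is still set on olcDatabase={1}mdb,cn=config
```

Because the module compares the desired (empty) value set against what the server holds, the task reports changed only on the run that actually deletes the attribute and is a no-op afterwards, so no pre-check task is needed.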

Andrew Latham

Jun 26, 2023, 1:21:23 PM6/26/23
to ansible...@googlegroups.com



--
- Andrew "lathama" Latham -